IBM Security QRadar

  • 1.  Configuring Cisco WSA into QRadar

    Posted Wed August 21, 2019 02:18 PM
    Hi everyone,

    So I was trying to configure our WSA to send syslog to QRadar, and it worked quite well with a small caveat... which is basically that there are many different types of events and I was not able to find the information in the documentation as to which type of event is monitored by QRadar.

    I selected W3C Logs; however, when looking at the logs, all I received was a ton of W3C log events, and it does not seem like they are being parsed...

    Any suggestions?

    Regards,
    Alexandre Laquerre

    ------------------------------
    Alexandre Laquerre
    ------------------------------


  • 2.  RE: Configuring Cisco WSA into QRadar

    Posted Thu August 22, 2019 01:00 AM
    Hi,

    While configuring manually, you need to select the Log Source type as "Cisco IRON PORT", and for event parsing you can manually install the CISCO IRONPORT DSM and try.

    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------



  • 3.  RE: Configuring Cisco WSA into QRadar

    Posted Fri August 23, 2019 01:59 PM
    Thank you for that answer; however, my question is: when we are configuring the Syslog option in WSA, there are multiple types of events you can send, and I would like to know which one we should select to be sent to QRadar?

    Regards,
    Alexandre Laquerre

    ------------------------------
    Alexandre Laquerre
    ------------------------------



  • 4.  RE: Configuring Cisco WSA into QRadar

    Posted Fri August 23, 2019 02:08 PM
    Hi Phanendra,

    What I don't understand is that there is a DSM for Cisco Web Security Appliance....

    Regards,
    Alexandre Laquerre

    ------------------------------
    Alexandre Laquerre
    ------------------------------



  • 5.  RE: Configuring Cisco WSA into QRadar

    Posted Thu August 22, 2019 01:11 AM
    Hi Alexandre,
    Here is a reference to what WSA (Web Security Applications) does.
    https://www.cisco.com/c/en_in/products/security/web-security-appliance/index.html

    There are specific logs for WSA (generated from the Cisco WSA server), so W3C logs cannot be parsed by the Cisco WSA app.



    ------------------------------
    Jabez Daniel
    ------------------------------



  • 6.  RE: Configuring Cisco WSA into QRadar

    Posted Fri August 30, 2019 06:28 AM
    Edited by Vladx(x) Fri August 30, 2019 06:28 AM
    Hi,

    We are also trying to ingest WSA logs into QRadar and to use the WSA App; however, the app is empty, and due to the lack of documentation we are not sure what logs beyond access logs can be used by QRadar. Also, we have errors like this:

    Aug 16 12:31:47 xxxxxxxxxxxxx [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:60796] org.antlr.v4.runtime.Parser: [ERROR] [NOT:0000003000][xxxxxxxxxxxx/- -] [-/- -]Field "Application Type" does not exist in catalog "events"

    Any idea what's wrong? 

    Thanks
    Laszlo

    ------------------------------
    Laszlo Pal
    ------------------------------



  • 7.  RE: Configuring Cisco WSA into QRadar

    Posted Mon August 26, 2019 01:05 AM

    Hi Alexandre,
    Yes, there are multiple different types of logs you can configure on the WSA end; we primarily use the access log option for our set-up.

    Cheers
    Brian



    ------------------------------
    Brian Robertson
    ------------------------------